move core impl to coderd

ethanndickson · ethanndickson · commit 8102c71ceacd · 2024-09-30T12:12:31.000Z
diff --git a/cli/server.go b/cli/server.go
@@ -719,6 +719,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				options.Database = dbmetrics.New(options.Database, options.PrometheusRegistry)
 			}
 
+			wsUpdates, err := coderd.NewUpdatesProvider(ctx, options.Database, options.Pubsub)
+			if err != nil {
+				return xerrors.Errorf("create workspace updates provider: %w", err)
+			}
+			options.WorkspaceUpdatesProvider = wsUpdates
+
 			var deploymentID string
 			err = options.Database.InTx(func(tx database.Store) error {
 				// This will block until the lock is acquired, and will be
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -228,6 +228,8 @@ type Options struct {
 
 	WorkspaceAppsStatsCollectorOptions workspaceapps.StatsCollectorOptions
 
+	WorkspaceUpdatesProvider tailnet.WorkspaceUpdatesProvider
+
 	// This janky function is used in telemetry to parse fields out of the raw
 	// JWT. It needs to be passed through like this because license parsing is
 	// under the enterprise license, and can't be imported into AGPL.
@@ -591,12 +593,13 @@ func New(options *Options) *API {
 		panic("CoordinatorResumeTokenProvider is nil")
 	}
 	api.TailnetClientService, err = tailnet.NewClientService(tailnet.ClientServiceOptions{
-		Logger:                  api.Logger.Named("tailnetclient"),
-		CoordPtr:                &api.TailnetCoordinator,
-		DERPMapUpdateFrequency:  api.Options.DERPMapUpdateFrequency,
-		DERPMapFn:               api.DERPMap,
-		NetworkTelemetryHandler: api.NetworkTelemetryBatcher.Handler,
-		ResumeTokenProvider:     api.Options.CoordinatorResumeTokenProvider,
+		Logger:                   api.Logger.Named("tailnetclient"),
+		CoordPtr:                 &api.TailnetCoordinator,
+		DERPMapUpdateFrequency:   api.Options.DERPMapUpdateFrequency,
+		DERPMapFn:                api.DERPMap,
+		NetworkTelemetryHandler:  api.NetworkTelemetryBatcher.Handler,
+		ResumeTokenProvider:      api.Options.CoordinatorResumeTokenProvider,
+		WorkspaceUpdatesProvider: api.Options.WorkspaceUpdatesProvider,
 	})
 	if err != nil {
 		api.Logger.Fatal(api.ctx, "failed to initialize tailnet client service", slog.Error(err))
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -159,6 +159,8 @@ type Options struct {
 	WorkspaceUsageTrackerFlush         chan int
 	WorkspaceUsageTrackerTick          chan time.Time
 
+	WorkspaceUpdatesProvider tailnet.WorkspaceUpdatesProvider
+
 	NotificationsEnqueuer notifications.Enqueuer
 }
 
@@ -251,6 +253,14 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		options.NotificationsEnqueuer = new(testutil.FakeNotificationsEnqueuer)
 	}
 
+	if options.WorkspaceUpdatesProvider == nil {
+		var err error
+		ctx, cancel := context.WithCancel(context.Background())
+		options.WorkspaceUpdatesProvider, err = coderd.NewUpdatesProvider(ctx, options.Database, options.Pubsub)
+		require.NoError(t, err)
+		t.Cleanup(cancel)
+	}
+
 	accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
 	var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
 	accessControlStore.Store(&acs)
@@ -524,6 +534,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			HealthcheckTimeout:                 options.HealthcheckTimeout,
 			HealthcheckRefresh:                 options.HealthcheckRefresh,
 			StatsBatcher:                       options.StatsBatcher,
+			WorkspaceUpdatesProvider:           options.WorkspaceUpdatesProvider,
 			WorkspaceAppsStatsCollectorOptions: options.WorkspaceAppsStatsCollectorOptions,
 			AllowWorkspaceRenames:              options.AllowWorkspaceRenames,
 			NewTicker:                          options.NewTicker,
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -2146,14 +2146,28 @@ func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 
 	go httpapi.Heartbeat(ctx, conn)
 	err = api.TailnetClientService.ServeUserClient(ctx, version, wsNetConn, tailnet.ServeUserClientOptions{
-		PeerID:   peerID,
-		UserID:   owner.ID,
-		Subject:  &ownerRoles,
-		Authz:    api.Authorizer,
-		Database: api.Database,
+		PeerID: peerID,
+		UserID: owner.ID,
+		AuthFn: api.authAgentFn(&ownerRoles),
 	})
 	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
 		_ = conn.Close(websocket.StatusInternalError, err.Error())
 		return
 	}
 }
+
+// authAgentFn accepts a subject, and returns a function that authorizes against
+// passed agent IDs.
+func (api *API) authAgentFn(owner *rbac.Subject) func(context.Context, uuid.UUID) error {
+	return func(ctx context.Context, agentID uuid.UUID) error {
+		ws, err := api.Database.GetWorkspaceByAgentID(ctx, agentID)
+		if err != nil {
+			return xerrors.Errorf("get workspace by agent id: %w", err)
+		}
+		err = api.Authorizer.Authorize(ctx, *owner, policy.ActionSSH, ws.RBACObject())
+		if err != nil {
+			return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)
+		}
+		return nil
+	}
+}
diff --git a/coderd/workspaceupdates.go b/coderd/workspaceupdates.go
@@ -1,4 +1,4 @@
-package tailnet
+package coderd
 
 import (
 	"context"
@@ -12,6 +12,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/tailnet/proto"
 )
 
@@ -54,7 +55,7 @@ func convertRows(v []database.GetWorkspacesAndAgentsRow) workspacesByOwner {
 
 func convertStatus(status database.ProvisionerJobStatus, trans database.WorkspaceTransition) proto.Workspace_Status {
 	wsStatus := codersdk.ConvertWorkspaceStatus(codersdk.ProvisionerJobStatus(status), codersdk.WorkspaceTransition(trans))
-	return WorkspaceStatusToProto(wsStatus)
+	return tailnet.WorkspaceStatusToProto(wsStatus)
 }
 
 type sub struct {
@@ -75,30 +76,23 @@ func (s *sub) send(all workspacesByOwner) {
 	s.tx <- update
 }
 
-type WorkspaceUpdatesProvider interface {
-	Subscribe(peerID uuid.UUID, userID uuid.UUID) (<-chan *proto.WorkspaceUpdate, error)
-	Unsubscribe(peerID uuid.UUID)
-	Stop()
-}
-
-type WorkspaceStore interface {
-	GetWorkspaceByAgentID(ctx context.Context, agentID uuid.UUID) (database.GetWorkspaceByAgentIDRow, error)
+type UpdateQuerier interface {
 	GetWorkspacesAndAgents(ctx context.Context) ([]database.GetWorkspacesAndAgentsRow, error)
 }
 
 type updatesProvider struct {
 	mu sync.RWMutex
-	db WorkspaceStore
+	db UpdateQuerier
 	ps pubsub.Pubsub
 	// Peer ID -> subscription
 	subs     map[uuid.UUID]*sub
 	latest   workspacesByOwner
 	cancelFn func()
 }
 
-var _ WorkspaceUpdatesProvider = (*updatesProvider)(nil)
+var _ tailnet.WorkspaceUpdatesProvider = (*updatesProvider)(nil)
 
-func NewUpdatesProvider(ctx context.Context, db WorkspaceStore, ps pubsub.Pubsub) (WorkspaceUpdatesProvider, error) {
+func NewUpdatesProvider(ctx context.Context, db UpdateQuerier, ps pubsub.Pubsub) (tailnet.WorkspaceUpdatesProvider, error) {
 	rows, err := db.GetWorkspacesAndAgents(ctx)
 	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 		return nil, err
@@ -176,7 +170,6 @@ func (u *updatesProvider) Unsubscribe(peerID uuid.UUID) {
 	}
 	close(sub.tx)
 	delete(u.subs, peerID)
-	return
 }
 
 func produceUpdate(old, new workspacesByID) *proto.WorkspaceUpdate {
@@ -192,23 +185,23 @@ func produceUpdate(old, new workspacesByID) *proto.WorkspaceUpdate {
 		// Upsert both workspace and agents if the workspace is new
 		if !exists {
 			out.UpsertedWorkspaces = append(out.UpsertedWorkspaces, &proto.Workspace{
-				Id:     UUIDToByteSlice(wsID),
+				Id:     tailnet.UUIDToByteSlice(wsID),
 				Name:   newWorkspace.WorkspaceName,
 				Status: convertStatus(newWorkspace.JobStatus, newWorkspace.Transition),
 			})
 			for _, agent := range newWorkspace.Agents {
 				out.UpsertedAgents = append(out.UpsertedAgents, &proto.Agent{
-					Id:          UUIDToByteSlice(agent.ID),
+					Id:          tailnet.UUIDToByteSlice(agent.ID),
 					Name:        agent.Name,
-					WorkspaceId: UUIDToByteSlice(wsID),
+					WorkspaceId: tailnet.UUIDToByteSlice(wsID),
 				})
 			}
 			continue
 		}
 		// Upsert workspace if the workspace is updated
 		if !newWorkspace.Equal(oldWorkspace) {
 			out.UpsertedWorkspaces = append(out.UpsertedWorkspaces, &proto.Workspace{
-				Id:     UUIDToByteSlice(wsID),
+				Id:     tailnet.UUIDToByteSlice(wsID),
 				Name:   newWorkspace.WorkspaceName,
 				Status: convertStatus(newWorkspace.JobStatus, newWorkspace.Transition),
 			})
@@ -217,16 +210,16 @@ func produceUpdate(old, new workspacesByID) *proto.WorkspaceUpdate {
 		add, remove := slice.SymmetricDifference(oldWorkspace.Agents, newWorkspace.Agents)
 		for _, agent := range add {
 			out.UpsertedAgents = append(out.UpsertedAgents, &proto.Agent{
-				Id:          UUIDToByteSlice(agent.ID),
+				Id:          tailnet.UUIDToByteSlice(agent.ID),
 				Name:        agent.Name,
-				WorkspaceId: UUIDToByteSlice(wsID),
+				WorkspaceId: tailnet.UUIDToByteSlice(wsID),
 			})
 		}
 		for _, agent := range remove {
 			out.DeletedAgents = append(out.DeletedAgents, &proto.Agent{
-				Id:          UUIDToByteSlice(agent.ID),
+				Id:          tailnet.UUIDToByteSlice(agent.ID),
 				Name:        agent.Name,
-				WorkspaceId: UUIDToByteSlice(wsID),
+				WorkspaceId: tailnet.UUIDToByteSlice(wsID),
 			})
 		}
 	}
@@ -235,15 +228,15 @@ func produceUpdate(old, new workspacesByID) *proto.WorkspaceUpdate {
 	for wsID, oldWorkspace := range old {
 		if _, exists := new[wsID]; !exists {
 			out.DeletedWorkspaces = append(out.DeletedWorkspaces, &proto.Workspace{
-				Id:     UUIDToByteSlice(wsID),
+				Id:     tailnet.UUIDToByteSlice(wsID),
 				Name:   oldWorkspace.WorkspaceName,
 				Status: convertStatus(oldWorkspace.JobStatus, oldWorkspace.Transition),
 			})
 			for _, agent := range oldWorkspace.Agents {
 				out.DeletedAgents = append(out.DeletedAgents, &proto.Agent{
-					Id:          UUIDToByteSlice(agent.ID),
+					Id:          tailnet.UUIDToByteSlice(agent.ID),
 					Name:        agent.Name,
-					WorkspaceId: UUIDToByteSlice(wsID),
+					WorkspaceId: tailnet.UUIDToByteSlice(wsID),
 				})
 			}
 		}
diff --git a/coderd/workspaceupdates_test.go b/coderd/workspaceupdates_test.go
@@ -1,4 +1,4 @@
-package tailnet_test
+package coderd_test
 
 import (
 	"context"
@@ -9,8 +9,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
+	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/tailnet/proto"
@@ -78,7 +80,7 @@ func TestWorkspaceUpdates(t *testing.T) {
 			cbs: map[string]pubsub.Listener{},
 		}
 
-		updateProvider, err := tailnet.NewUpdatesProvider(ctx, db, ps)
+		updateProvider, err := coderd.NewUpdatesProvider(ctx, db, ps)
 		require.NoError(t, err)
 
 		ch, err := updateProvider.Subscribe(peerID, ownerid)
@@ -217,7 +219,7 @@ func TestWorkspaceUpdates(t *testing.T) {
 			cbs: map[string]pubsub.Listener{},
 		}
 
-		updateProvider, err := tailnet.NewUpdatesProvider(ctx, db, ps)
+		updateProvider, err := coderd.NewUpdatesProvider(ctx, db, ps)
 		require.NoError(t, err)
 
 		ch, err := updateProvider.Subscribe(peerID, ownerid)
@@ -257,15 +259,18 @@ type mockWorkspaceStore struct {
 	orderedRows []database.GetWorkspacesAndAgentsRow
 }
 
-var _ tailnet.WorkspaceStore = (*mockWorkspaceStore)(nil)
-
-func (*mockWorkspaceStore) GetWorkspaceByAgentID(context.Context, uuid.UUID) (database.GetWorkspaceByAgentIDRow, error) {
-	return database.GetWorkspaceByAgentIDRow{}, nil
+// GetWorkspaceRBACByAgentID implements tailnet.UpdateQuerier.
+func (*mockWorkspaceStore) GetWorkspaceRBACByAgentID(context.Context, uuid.UUID) (rbac.Objecter, error) {
+	panic("unimplemented")
 }
-func (db *mockWorkspaceStore) GetWorkspacesAndAgents(context.Context) ([]database.GetWorkspacesAndAgentsRow, error) {
-	return db.orderedRows, nil
+
+// GetWorkspacesAndAgents implements tailnet.UpdateQuerier.
+func (m *mockWorkspaceStore) GetWorkspacesAndAgents(context.Context) ([]database.GetWorkspacesAndAgentsRow, error) {
+	return m.orderedRows, nil
 }
 
+var _ coderd.UpdateQuerier = (*mockWorkspaceStore)(nil)
+
 type mockPubsub struct {
 	cbs map[string]pubsub.Listener
 }
diff --git a/tailnet/service.go b/tailnet/service.go
@@ -17,7 +17,6 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/apiversion"
-	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/tailnet/proto"
 	"github.com/coder/quartz"
 )
@@ -40,6 +39,12 @@ func WithStreamID(ctx context.Context, streamID StreamID) context.Context {
 	return context.WithValue(ctx, streamIDContextKey{}, streamID)
 }
 
+type WorkspaceUpdatesProvider interface {
+	Subscribe(peerID uuid.UUID, userID uuid.UUID) (<-chan *proto.WorkspaceUpdate, error)
+	Unsubscribe(peerID uuid.UUID)
+	Stop()
+}
+
 type ClientServiceOptions struct {
 	Logger                   slog.Logger
 	CoordPtr                 *atomic.Pointer[Coordinator]
@@ -114,11 +119,9 @@ func (s *ClientService) ServeClient(ctx context.Context, version string, conn ne
 }
 
 type ServeUserClientOptions struct {
-	PeerID   uuid.UUID
-	UserID   uuid.UUID
-	Subject  *rbac.Subject
-	Authz    rbac.Authorizer
-	Database WorkspaceStore
+	PeerID uuid.UUID
+	UserID uuid.UUID
+	AuthFn func(context.Context, uuid.UUID) error
 }
 
 func (s *ClientService) ServeUserClient(ctx context.Context, version string, conn net.Conn, opts ServeUserClientOptions) error {
@@ -130,10 +133,8 @@ func (s *ClientService) ServeUserClient(ctx context.Context, version string, con
 	switch major {
 	case 2:
 		auth := ClientUserCoordinateeAuth{
-			UserID:      opts.UserID,
-			RBACSubject: opts.Subject,
-			Authz:       opts.Authz,
-			Database:    opts.Database,
+			UserID: opts.UserID,
+			AuthFn: opts.AuthFn,
 		}
 		streamID := StreamID{
 			Name: "client",
diff --git a/tailnet/tunnel.go b/tailnet/tunnel.go
@@ -8,8 +8,6 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
-	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/tailnet/proto"
 )
 
@@ -95,10 +93,8 @@ func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.Coordinate
 }
 
 type ClientUserCoordinateeAuth struct {
-	UserID      uuid.UUID
-	RBACSubject *rbac.Subject
-	Authz       rbac.Authorizer
-	Database    WorkspaceStore
+	UserID uuid.UUID
+	AuthFn func(context.Context, uuid.UUID) error
 }
 
 func (a ClientUserCoordinateeAuth) Authorize(ctx context.Context, req *proto.CoordinateRequest) error {
@@ -107,11 +103,7 @@ func (a ClientUserCoordinateeAuth) Authorize(ctx context.Context, req *proto.Coo
 		if err != nil {
 			return xerrors.Errorf("parse add tunnel id: %w", err)
 		}
-		row, err := a.Database.GetWorkspaceByAgentID(ctx, uid)
-		if err != nil {
-			return xerrors.Errorf("get workspace by agent id: %w", err)
-		}
-		err = a.Authz.Authorize(ctx, *a.RBACSubject, policy.ActionSSH, row.Workspace.RBACObject())
+		err = a.AuthFn(ctx, uid)
 		if err != nil {
 			return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)
 		}

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@ import (`
`8`	`8`	`"github.com/google/uuid"`
`9`	`9`	`"golang.org/x/xerrors"`
`10`	`10`
`11`		`- "github.com/coder/coder/v2/coderd/rbac"`
`12`		`- "github.com/coder/coder/v2/coderd/rbac/policy"`
`13`	`11`	`"github.com/coder/coder/v2/tailnet/proto"`
`14`	`12`	`)`
`15`	`13`
`@@ -95,10 +93,8 @@ func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.Coordinate`
`95`	`93`	`}`
`96`	`94`
`97`	`95`	`type ClientUserCoordinateeAuth struct {`
`98`		`- UserID uuid.UUID`
`99`		`- RBACSubject *rbac.Subject`
`100`		`- Authz rbac.Authorizer`
`101`		`- Database WorkspaceStore`
	`96`	`+ UserID uuid.UUID`
	`97`	`+ AuthFn func(context.Context, uuid.UUID) error`
`102`	`98`	`}`
`103`	`99`
`104`	`100`	`func (a ClientUserCoordinateeAuth) Authorize(ctx context.Context, req *proto.CoordinateRequest) error {`
`@@ -107,11 +103,7 @@ func (a ClientUserCoordinateeAuth) Authorize(ctx context.Context, req *proto.Coo`
`107`	`103`	`if err != nil {`
`108`	`104`	`return xerrors.Errorf("parse add tunnel id: %w", err)`
`109`	`105`	`}`
`110`		`- row, err := a.Database.GetWorkspaceByAgentID(ctx, uid)`
`111`		`- if err != nil {`
`112`		`- return xerrors.Errorf("get workspace by agent id: %w", err)`
`113`		`- }`
`114`		`- err = a.Authz.Authorize(ctx, *a.RBACSubject, policy.ActionSSH, row.Workspace.RBACObject())`
	`106`	`+ err = a.AuthFn(ctx, uid)`
`115`	`107`	`if err != nil {`
`116`	`108`	`return xerrors.Errorf("workspace agent not found or you do not have permission: %w", sql.ErrNoRows)`
`117`	`109`	`}`